
Password

Introduction

This tutorial will walk you through password-protecting assets on an Apache web server running on Ubuntu 18.04. Completing these steps will provide your server with additional security so that unauthorized users cannot access certain parts of your page.

For a more detailed version of this tutorial, with fuller explanations of each step, please refer to How To Set Up Password Authentication with Apache on Ubuntu 18.04.

Prerequisites

In order to complete this tutorial, you will need access to the following on an Ubuntu 18.04 server:

Step 1 — Install the Apache Utilities Package

We’ll install a utility called htpasswd, part of the apache2-utils package, to manage the usernames and passwords that have access to restricted content.

sudo apt-get update

sudo apt-get install apache2-utils

Step 2 — Create the Password File

We’ll create the first user as follows (replace first_username with a username of your choice):

sudo htpasswd -c /etc/apache2/.htpasswd first_username

You will be asked to supply and confirm a password for the user.

Leave out the -c argument for any additional users you wish to add so you don’t overwrite the file:

sudo htpasswd /etc/apache2/.htpasswd another_user

Step 3 — Configure Apache Password Authentication

In this step, we need to configure Apache to check this file before serving our protected content. We will do this by using the site’s virtual host file, but there is another option detailed in the longer tutorial if you don’t have access or prefer to use .htaccess files instead.

Open up the virtual host file that you wish to add a restriction to with a text editor such as nano:

sudo nano /etc/apache2/sites-enabled/default-ssl.conf

Authentication is done on a per-directory basis. In our example, we’ll restrict the entire document root, but you can modify this listing to only target a specific directory within the web space.

Introduction

As a web administrator, you may find it valuable to restrict some parts of a website from visitors, whether temporarily or on a permanent basis. While web applications may provide their own authentication and authorization methods, you can also rely on the web server itself to restrict access if these are inadequate or unavailable.

This tutorial will walk you through password-protecting assets on an Apache web server running on Ubuntu 18.04 in order to provide your server with additional security.

Prerequisites

In order to complete this tutorial, you will need access to an Ubuntu 18.04 server.

In addition, you will need the following setup before you can begin:

A sudo user on your server: You can create a user with sudo privileges by following the Ubuntu 18.04 initial server setup guide.

An Apache2 web server: If you haven’t already set one up, the How To Install the Apache Web Server on Ubuntu 18.04 tutorial can guide you.

A site secured with SSL: How you set this up depends on whether you have a domain name for your site.

If you have a domain name, you can secure your site with Let’s Encrypt, which provides free, trusted certificates. Follow the Let’s Encrypt guide for Apache to set this up.

If you do not have a domain and you are just using this configuration for testing or personal use, you can use a self-signed certificate instead. This provides the same type of encryption, but without the domain validation. Follow the self-signed SSL guide for Apache to get set up.

When all of these are in place, log into your server as the sudo user and continue below.

Step 1 — Installing the Apache Utilities Package

Let’s begin by updating our server and installing a package that we’ll need. In order to complete this tutorial, we will be using a utility called htpasswd, part of the apache2-utils package, to create the file and manage the usernames and passwords needed to access restricted content.

sudo apt-get update

sudo apt-get install apache2-utils

With this installed, we now have access to the htpasswd command.

Step 2 — Creating the Password File

The htpasswd command will allow us to create a password file that Apache can use to authenticate users. We will create a hidden file for this purpose called .htpasswd within our /etc/apache2 configuration directory.

The first time we use this utility, we need to add the -c option to create the specified passwdfile. We specify a username (sammy in this example) at the end of the command to create a new entry within the file:

sudo htpasswd -c /etc/apache2/.htpasswd sammy

You will be asked to supply and confirm a password for the user.

Leave out the -c argument for any additional users you wish to add so you don’t overwrite the file:

sudo htpasswd /etc/apache2/.htpasswd another_user

If we view the contents of the file, we can see the username and the encrypted password for each record:
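As an added example (not part of the original tutorial), the script below reads an htpasswd file and reports which hashing scheme each record uses, because the stored value is a hash whose strength depends on the htpasswd option used when the user was created. The function name audit_htpasswd is hypothetical, and the sample records and their hash strings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the tutorial's own code.

# audit_htpasswd FILE
# Prints "user scheme verdict" for each record. Exit status is 1 when any
# record uses a scheme the htpasswd documentation describes as insecure.
audit_htpasswd() (
    weak=0
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue                  # skip blank lines
        case "$hash" in
            '$2y$'*)   scheme=bcrypt;      verdict=ok ;;      # created with -B
            '$apr1$'*) scheme=apr1-md5;    verdict=review ;;  # htpasswd default
            '{SHA}'*)  scheme=sha1;        verdict=weak ;;    # created with -s
            '$'*)      scheme=other-crypt; verdict=review ;;  # other crypt(3) format
            *)         scheme=crypt-or-plain; verdict=weak ;; # created with -d or -p
        esac
        [ "$verdict" = weak ] && weak=1
        echo "$user $scheme $verdict"
    done < "$1"
    [ "$weak" -eq 0 ]
)

# Constructed sample file: the hash strings are placeholders, not real hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
sammy:$apr1$constrct$ConstructedSampleHashValue
another_user:$2y$05$ConstructedSampleBcryptHashValue
legacy:{SHA}ConstructedSampleSha1Value=
old:ConstructedCrypt
EOF

audit_htpasswd "$sample" || echo "re-create weak records with: htpasswd -B <file> <user>"
```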

Step 3 — Configuring Apache Password Authentication

In this step, we need to configure Apache to check this file before serving our protected content. We can do this in one of two ways: either directly in a site’s virtual host file or by placing .htaccess files in the directories that need restriction. It’s generally best to use the virtual host file, but if you need to allow non-root users to manage their own access restrictions, check the restrictions into version control alongside the website, or have a web application using .htaccess files for other purposes already, check out the second option.

The first option is to edit the Apache configuration and add the password protection to the virtual host file. This will generally give better performance because it avoids the expense of reading distributed configuration files. This option requires access to the configuration, which isn’t always available, but when you do have access, it’s recommended.

Begin by opening up the virtual host file that you wish to add a restriction to. For our example, we’ll be using the default-ssl.conf file that holds the default virtual host installed through Ubuntu’s apache package. Open up the file with a command-line text editor such as nano:

sudo nano /etc/apache2/sites-enabled/default-ssl.conf

Inside, with the comments stripped, the file should look similar to this:

Authentication is done on a per-directory basis. To set up authentication, you will need to target the directory you wish to restrict with a <Directory ___> block. In our example, we’ll restrict the entire document root, but you can modify this listing to only target a specific directory within the web space:

Within this directory block, specify that we are setting up Basic authentication. For the AuthName, choose a realm name that will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, make it a requirement that only a valid-user may access this resource, which means anyone who can verify their identity with a password will be allowed in:

Save and close the file when you are finished. If you are using nano, you can do so by pressing CTRL+X followed by Y then ENTER.

Before restarting the web server, you can check the configuration with the following command:

sudo apache2ctl configtest

If everything checks out and you get Syntax OK as output, you can restart the server to implement your password policy. Since systemctl doesn’t display the outcome of all service management commands, we’ll use the status command to be sure the server is running:

sudo systemctl restart apache2

sudo systemctl status apache2

Now, the directory you specified should be password protected.

Option 2: Configuring Access Control with .htaccess Files

Apache can use .htaccess files in order to allow certain configuration items to be set within a content directory. Since Apache has to re-read these files on every request that involves the directory, which can negatively impact performance, Option 1 is preferred, but if you are already using .htaccess files or need to allow non-root users to manage restrictions, .htaccess files make sense.

To enable password protection using .htaccess files, open the main Apache configuration file with a command-line text editor such as nano:

sudo nano /etc/apache2/apache2.conf

Find the <Directory> block for the /var/www directory that holds the document root. Turn on .htaccess processing by changing the AllowOverride directive within that block from None to All:

Save and close the file when you are finished. If you are using nano, you can do so by pressing CTRL+X followed by Y then ENTER.

Next, we need to add an .htaccess file to the directory we wish to restrict. In our demonstration, we’ll restrict the entire document root (the entire website) which is based at /var/www/html, but you can place this file in any directory where you wish to restrict access:

sudo nano /var/www/html/.htaccess

Within this file, specify that we wish to set up Basic authentication. For the AuthName, choose a realm name that will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, we will require a valid-user to access this resource, which means anyone who can verify their identity with a password will be allowed in:
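Both options, the Directory block in the virtual host file and the .htaccess file, rely on the same four directives. The script below is an added example (not part of the original tutorial) that checks a file for them. The function name check_basic_auth is hypothetical, the sample files are constructed, and the realm name "Restricted Content" is an assumption.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Sample files are constructed.

# check_basic_auth FILE [DIR]
#   With DIR: inspect only the <Directory "DIR"> block of a virtual host file.
#   Without:  inspect the whole file, as for an .htaccess file.
# Prints each missing directive; exit status 0 only when all four are present.
check_basic_auth() (
    block=$(awk -v d="$2" '
        BEGIN { inblk = (d == "") }
        $1 == "<Directory"   { t = $2; gsub(/[">]/, "", t); inblk = (t == d); next }
        $1 == "</Directory>" { inblk = (d == ""); next }
        inblk && $1 !~ /^#/  { print }' "$1")
    rc=0
    for want in "AuthType Basic" "AuthName" "AuthUserFile" "Require valid-user"; do
        if ! printf '%s\n' "$block" | grep -Eq "^[[:space:]]*$want([[:space:]]|\$)"; then
            echo "missing: $want"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ]
)

# Constructed virtual host; the realm name "Restricted Content" is an assumption.
vhost=$(mktemp)
cat > "$vhost" <<'EOF'
<VirtualHost _default_:443>
    DocumentRoot /var/www/html
    <Directory "/var/www/html">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
EOF

# An .htaccess file holds the same directives without the <Directory> wrapper.
# This constructed one has lost its Require line.
htaccess=$(mktemp)
grep 'Auth' "$vhost" > "$htaccess"

check_basic_auth "$vhost" /var/www/html && echo "vhost: all four directives present"
check_basic_auth "$htaccess" || echo ".htaccess: incomplete"
```

A block that has the Auth* lines but no Require line does not restrict anything by itself. For the .htaccess option, AllowOverride AuthConfig is the narrower value that still permits these four directives.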

Creating strong passwords is essential to protecting your Linode and your Linode Cloud Manager account. If you suspect that an unauthorized user has gained access to one of your accounts, you should change the password immediately.

Changing or Resetting Your Linode Cloud Manager Password

If you want to change your password, or you forgot your password and need a new one, you can accomplish these tasks through the Forgot Password webpage. Here’s how: